"Remember Me" for regular CodeIgniter 4 sessions
#1

Hello colleagues!

I am developing a simple free system of control of the site on CodeIgniter 4. I successfully implemented the basic functionality for control of the site, but I faced a problem that is difficult to solve myself. In all the systems that I saw, there is an option "remember me" in the form of authorization in the admin area. I looked at the framework documentation, and a bit of the source code of the session library, but I didn’t have any idea how to make the framework set up a cookie without a lifetime that only works until the browser is closed. Pay attention that the question is exactly how to do this dynamically, for a particular login, not the whole system.

I would appreciate the advice on how to do this without interfering with the source code of the framework.

If you want to help, or just watch the new system, then here is the link to the source code and installation instruction: https://github.com/basic-app/basic-app

Basic App, an open source simple CMS based on CodeIgniter 4
#2

Look at Lonnie's Myth Auth; it should set you in the right direction.

Lonnie Ezell - Myth Auth
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#3

(02-25-2019, 09:31 AM)InsiteFX Wrote: Look at Lonnie's Myth Auth; it should set you in the right direction.

Lonnie Ezell - Myth Auth

Thank you, I looked at the solution that you offer, it has a memory function implemented through a separate cookie called remember, but for me the right solution would be to change the property of the main cookie ci_session, which the framework puts to identify the main session through the session library.

Basic App, an open source simple CMS based on CodeIgniter 4
#4

No, a remember me cookie holds a user token to identify them.

A remember me cookie is not the same as a session cookie.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#5

(02-25-2019, 11:28 AM)InsiteFX Wrote: No, a remember me cookie holds a user token to identify them.

A remember me cookie is not the same as a session cookie.

I would like to use standard sessions for storing authorization data, and not to do it by some other method, but it seems like there is no need for additional cookies.
 
Probably, I will implement such a scheme:
 
- when authorizing with the remember_me flag, a separate cookie without a lifetime is created, which contains a random key
- the same random key is written to the session along with the user number for authorization
- the authorization mechanism, if it sees a random key in a session, tries to get it from a cookie, and if there is no cookie, then the authorization is not valid
 
and at the same time the main session is not destroyed, just overwrite user_id in it

Basic App, an open source simple CMS based on CodeIgniter 4
#6

If you're going the route of rolling your own, be sure to check out best practices that others have already done. This article from the Paragon Initiative is an excellent guide.
#7

(02-26-2019, 08:21 AM)kilishan Wrote: If you're going the route of rolling your own, be sure to check out best practices that others have already done. This article from the Paragon Initiative is an excellent guide.

The practices written in the article are well applicable to the case when the remember_me option allows the authorization of the user to live longer than the framework session. At the moment I do not set such a goal, my task is the reverse, so that in the absence of the remember_me flag, authorization is lost after the user has closed the browser.
See what I found in the code of the library you offer, in the myth-auth/src/Authentication/LocalAuthenticator.php file, in the check function:

PHP Code:
if ($this->isLoggedIn())
{
    return true;
}
// Check the remember me functionality.
helper('cookie');
$remember = get_cookie('remember');
....

In this code we can see that if the framework session has authorization, then the user is authorized. A session framework at basic settings is not destroyed when you close the browser. Therefore, this solution does not suit me, because it does not implement my main task.

I realized what I wrote about above in the Basic App; those who are interested can see it here:

https://github.com/basic-app/module-admi...hTrait.php

In fact, I made a cookie "don't remember me", which is required only if the user does not put the "remember me" flag when authorizing, and if the "remember me" flag is set, the authorization occurs as usual.

PS: I draw attention to the fact that modern browsers with basic settings may not support session cookies, and this will not work. For example, in Google Chrome, these are the options "Continue where you left off" and "Continue running background apps when Google Chrome is closed".

Basic App, an open source simple CMS based on CodeIgniter 4
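
Added example, not part of the original thread and not the Basic App or Myth Auth code: a plain-PHP sketch of the "don't remember me" scheme described in posts #5 and #7, where a login without the flag is bound to a random key held in a cookie with no lifetime. The names `BIND_COOKIE`, `bind_key`, `login()` and `isAuthorized()` are hypothetical, and the session and cookies are passed in as arrays so the logic runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical cookie name; it carries only a random key, never user data.
const BIND_COOKIE = 'dont_remember';

// Records a login in the long-lived session. Without "remember me" the login
// is bound to a random key; returns the cookie to emit, or null if none.
function login(array &$session, int $userId, bool $rememberMe): ?array
{
    $session['user_id'] = $userId;   // the main session is kept, user_id is overwritten
    unset($session['bind_key']);     // drop any binding left from an earlier login
    if ($rememberMe) {
        return null;                 // authorization lives as long as the session
    }
    $key = bin2hex(random_bytes(32));
    $session['bind_key'] = $key;
    return [
        'name'    => BIND_COOKIE,
        'value'   => $key,
        // expires = 0 makes it a browser-session cookie
        'options' => ['expires' => 0, 'path' => '/', 'secure' => true,
                      'httponly' => true, 'samesite' => 'Lax'],
    ];
}

// A bound login is valid only while the browser still sends the matching key.
function isAuthorized(array $session, array $cookies): bool
{
    if (!isset($session['user_id'])) {
        return false;
    }
    if (!isset($session['bind_key'])) {
        return true;                 // logged in with "remember me"
    }
    $sent = $cookies[BIND_COOKIE] ?? '';
    return is_string($sent) && hash_equals($session['bind_key'], $sent);
}

// Constructed demo. In a web request, emit the cookie with
// setcookie($c['name'], $c['value'], $c['options']) and call
// session_regenerate_id(true) at login.
$session = [];
$c = login($session, 42, false);
var_dump(isAuthorized($session, [BIND_COOKIE => $c['value']])); // cookie still present
var_dump(isAuthorized($session, []));                           // cookie gone after browser restart
$remembered = [];
login($remembered, 42, true);
var_dump(isAuthorized($remembered, []));                        // "remember me" login, no cookie needed
```

The check fails closed: if the session holds a key and the cookie is missing or different, the user is treated as not authorized even though the framework session itself still exists.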